Some sympathy for the devil: operating systems are just so…big.
Like, there’s an arbitrary code execution issue fixed here in ColorSync. ColorSync! Who thinks to attack the color management system, and then how do you set up your org structure to protect from attacks on that? Because…assuming they have much of a team on it at all, as it’s probably a bit of a solved problem…your core team is probably going to be focused on color, and not buffer overflows.
macOS has a lot of old components now, and just getting a grasp of where you could possibly have security issues must be nigh impossible.
I think you prevent these "corrupt file corrupts important memory" bugs in two ways: 1) use a memory safe language 2) write fuzz tests just like you'd write unit tests.
1 is becoming extremely viable, infrastructure for 2 is starting to be included with modern programming languages and so will soon become the norm.
> write fuzz tests just like you'd write unit tests
You're missing a key point the GP made, operating systems are big. There's also a finite number of person-hours in a development cycle. Third, fuzzing is a complicated and open ended process that's difficult to analyze.
Fuzzing is not a simple subject. Testing fuzzed input requires a lot of instrumentation that can affect measurements if it's instrumentation not enabled in production builds. Not all code is easily tested with fuzzed input even when it can be properly instrumented.
Because there's limited amounts of time in a day, every working moment can't be spent on the near infinite permutations of fuzzed input for every component on a system. Even automated test suites take time to run and then can only test known workflows or code paths.
An OS has thousands of components with complex graphs of those interacting components. There's vast surface area for bugs and limited time to explore it all. Just switching languages and adding more tests aren't going to make bugs go away.
Big makes it challenging. But also we are talking about big companies. The OSX/Apple, Windows/Microsoft and linux/IBM/Goog/Amazon/long-tail are big enough that they already invest lots in security and can invest even more. This is where central tooling teams and come into play.
I was at Apple for more than 15 years in SWE. The scale of OS builds isn't just big but just this side of intractable. They have tool and build teams. It's not an easily solved problem and you can't just throw money at it to make it so.
The OS has thousands of components with combinatorial amounts of different interactions and states. You can have multiple bug free components that create an exploitable situation in combination. The same is true for Windows or Linux or any large software project.
Unit tests are not magic. Neither is fuzzing. Even if you've got a great fuzzing infrastructure and coverage it still takes non-zero time for an engineer to analyze, understand, and then fix a problem. Many components in an OS require a fair amount of domain knowledge so engineers aren't fungible. You can't grab Sally from the Mail team and give her a bunch of CoreMedia bugs to fix.
Keep in mind all the companies you mention invest significantly in security and just barely keep ahead of exploits and often can't keep ahead of exploits. Hackers don't have the same burden. They don't need to find every bug. They only need to find a profitable one (depending on the hat they're wearing). They also don't need to maintain their exploit in future versions. They just move on to find the next exploit.
It's important to bring it up because there's quite a few people who don't want to adopt Rust for one reason or another, but want a mature lower level language alternative to what they're using now.
I try to mention Ada when people are looking for something with its characteristics, but don't appear to have considered it. I try not to hijack threads or interject, be rude or overbearing, though it has probably read that way at least once.
> That is why i keep mentioning Ada in the hope to balance the "Memory Safe language" selection bias.
Ada suffers from a lack of proper marketing and being misunderstood. The Ariane 5 disaster gets mentioned as reason to not use it, but not Ariane 5's track record since as of the most reliable payload rockets in history (including a streak of 80+ successive launches), and because of this was picked to launch the James Webb Space Telescope. Ada's usually mentioned along with COBOL or Modula-2, so I expected a bloated bureaucratic grotesque language, not a modern one with decent tooling and a package manager. While it may have been "complicated" when released, the newer versions, especially Ada 2012 have really polished up the language well.
I've been productive in it since the early months of using it, and it has exceeded most of my expectations.
I guess there are multiple issues with memory safe language bringing Rust into the talk.
One is the naive one, someone that lacks the proper background and for whatever reasons thinks it is the only way, thus Rust.
Then we have those that are aware, but think all the other safety approaches are not valid for whatever reason, thus Rust.
Then we have those that kind of feel threatened by the security awareness that Rust brings into the picture, so whenever we talk about security, there is pavlovian reaction that it must be Rust when the subject is security.
Picking any language that embraces bounds checking enabled by default, and proper string/arrays, is already a major improvement.
>Picking any language that embraces bounds checking enabled by default, and proper string/arrays, is already a major improvement.
Even bog standard C can be made safe, and include bounds checking if you create and consistently use an API that supports that mindset - see for e.g. Microsoft's string safe lib (not that I'm saying that is the epitome of such a thing).
However the will and the effort has to be there, C is an incredibly flexible and capable language and can be as safe as you want it to be.
The last Random ascii article I read, he found an easily exploitable buffer overflow in iOS simply by checking the code to see where it used memmove and worked out the exploit from there, guessing correctly that there was no bounds checking. So it seems that the usual culprits are fairly easy to spot, but somebody needs to replace the worst APIs with something safer (memmove, memcpy, memset, malloc, a = b).
Any "safe" string library for C that uses pointer and length as separate arguments is safe only in name.
Microsoft does it, because it comes along with SAL[0], which is kind of Microsoft's own Frama-C.
Also as long as WG14 doesn't care, everyone will keep passing char* around while hoping it is actually null terminated and points to the right place in memory.
Technically, ISO C could get safer types, or have something like SAL/FORTIFY, but as you say, without will it will never happen.
Please keep fighting. The automatic association here on memory safe language with Rust annoys me as well, just as the one about mixing languages on a VM and WebAssembly. Both features are available since decades on C# and the CLR, and Java and the JVM to name a few.
The quote was "corrupt file corrupts important memory" which is exactly what WUFFS is for. In Rust you can screw up badly enough to still have the bug, doing so is harder but not impossible - but in WUFFS the stupidest file format parsing you can do is merely wrong and can't corrupt anything. In WUFFS possible outcomes of incompetent morons reading an image file include: the colours in the image are wrong, the image is just a solid black or white rectangle because they didn't remember to actually render the image, bits of it are smashed up somehow, and so on. Notice how it's always about the image? WUFFS can't express programs that do other stuff.
General purpose languages are cool, but their unlimited expressiveness is exactly what you don't want for security. Why is this PNG loader able to make network connections and control my camera? You know a bad guy will find a way to force it to use those capabilities right?
Directionally, yes, I want more parts of more OSes written in Rust and other languages that allow building safe abstractions over unsafe code. This is table stakes in 2022.
Which is exactly why we need to use safe languages. People can't even prevent vulnerabilities in the code they are scrutinizing, much less the other 90% they aren't.
(Beating a dead horse, I know, and not blaming the devs because this utility has been around forever, but regardless)
It’s a horse worth beating, or at least kicking, because it’s a tough set of incentives.
Even if you have functionally unlimited money like Apple, it’s tough to prioritize rewriting a somewhat obscure piece of the OS solely to prevent security issues. Because if you have a team that’s capable of fully reimplementing this component, and getting it through a QA process to make sure it doesn’t break another component of the OS…well damn, that’s a team you probably want on a higher-profile project, and not doing cleanup, right?
Yeah, rewriting is hard and involves lots of complex cost tradeoffs. But at least when writing new software, with today's options, I think it's much harder to justify starting out with an unsafe language.
The options were always there since around 1958, then about 15 years later, a group of folks doing their tiny OS decided to ignore them when creating their fun little language, because it was more fun to do their own thing.
The problem is that this tiny OS and accompaning language grew to be everywhere thanks to its license, so now we are in this mess.
But options? They have always been there for those that actually care.
The hard part is interoperability. Apple is writing lots of things in Swift today, but low level libraries that are used in many places are hard to do in Swift. Interoperability with C often requires very difficult casts, and if you do them incorrectly you'll have the same kinds of bugs as in C.
And, on top of that, how much confidence do you have that your brand new code doesn’t introduce more security issues than the ancient “battle-tested” code?
In a sense strncpy() is exactly the sort of unsafe nonsense that got C into trouble.
C's strings are zero byte terminated, but the strings strncpy() is intended to target are not, they're file names in a fixed length buffer. So, it's fine to fill the entire buffer with text and no terminator, or to write a single byte of text, and fill the rest with zero bytes. If that's the exact problem you have, strncpy() is the exact feature you wanted. Otherwise it isn't.
If you aren't aware of why Unix wanted this feature it's a very strange thing to find in C's small standard library.
Since you pick on that example, yes I am unsurprised about an exploit in ColorSync. The bugs in ColorSync in combination with Photoshop are legend: for example, there was a "black crush" bug doing the rounds of photo blogs and forums which persisted for months. More recently, it was not possible to disable ColorSync when printing, which made it impossible to calibrate printers (that is, measure the printed result with a spectrophotometer in order to derive new ColorSync tables). And furthermore, I don't think it is actually the first colour profile exploit I've heard of, although I forget whether it was Apple's or someone else's.
However much of a team they have on ColorSync, it needs to be bigger. If they don't have code fixes to make, there's plenty of other things for them to get on with. I didn't think much of the API documentation, and multiple people who seemed credible to me claimed there wasn't enough detail for the kind of implementation Adobe and others need, as several calls have been deprecated. And, since Apple no longer offer their own competing product it would make sense to assist Adobe in getting it reliably right.
More than that, the calibration software for monitors is third party and, at least for the photo monitor I have... could be better. These monitors use onboard hardware LUTs instead of doing it in the GPU, so the software is hardware-specific. Fortunately, there are only a couple of brands who offer these high-end monitors, maybe 3 if you count LG, so there isn't all that much hardware to support. It's another case where the overall experience could be improved for a segment of Apple's customers if they put the effort in. There may even be money to be made.
ColorSync shouldn't have been an "old" component, if Apple had kept their eyes on what their users needed. Instead they went and changed Music again, which has apparently not pleased its users. It's a company whose management seems obsessed with a fairly narrow range of applications like home automation and instant messaging, the kinds of things shown in 1970s TV programs about the "future". If they widened their horizons more they would end up cycling through more of the many components of macOS more often, so things got timely refreshes.
I’m a UI designer/graphic designer/photographer who has had a Mac since 1994. (And I’m not even 40 yet.) ColorSync just popped out at me as one of those “I am not shocked something from the Classic days is causing issues.”
I think they have their eye on the 20% – the return of the SD card reader on Macbooks is mainly for photographers and videographers – but they just can't see very well.
Though the Monterey update fixes 13 CVEs and the Big Sur and
Catalina updates only address 7 and 5 CVEs respectively.
It seems unlikely that Big Sur just isn't vulnerable to so many of the Monterey CVEs and instead this is just Apple prioritizing fixes for the latest macOS version. Officially Apple of course only provides security updates for the latest version.
Big Sur is the latest supported version on some Retina MacBook Pros, so it's not such a bad idea for Apple to still provide updates for critical issues
I finally upgraded to Monterey from Mojave this past weekend. I somehow didn’t get the memo that it was no longer getting security updates until my head security engineer said it last week
One reason I keep a High Sierra + Mojave machine around is that 32-bit apps will not run on anything after Mojave. This includes Catalina, Big Sur, and Monterey.
If you’re using old versions of Office, Adobe CS5 or CS6, or if you need the functionality of QuickTime Player 7 then you’ll need to find other options.
For example, there is no other app for Mac that handles the assembly of time lapses with the simplicity and speed of QT7. Many apps will do it, but in a more cumbersome way.
I'm 99% sure it's the AMD graphics driver, yes. I did see someone link the "amd-osx.com" website, but it seems unlikely that Apple would be issuing security fixes for that.
Given another RCE bug was found in the intel graphics driver, easiest speculation would probably suggest the graphics driver. Also apple doesn't usually refer to them as drivers, so that's probably adding confusion too.
Apple's marketing and developer documentation usually refers to x86-64 as "Intel". Since Intel makes the only x86 CPUs legally allowed to run macOS, I suppose it's not completely silly. 'uname -m' says x86_64.
According to Google, the only mention of "amd64" on developer.apple.com (excluding the forums) is here[1], where they refer to which Ubuntu image you should download to set up an Ubuntu VM on "Intel-based Mac computers".
It is called amd64 because no one was sure if Intel would bring x86 to 64bit, and if they did, no one was sure it would be compatible with AMD’s implementation.
This was long requested from the security community, so hopefully they keep it up going forward! This would probably go a long way in terms of rebuilding their developer trust.
Yeah, that's been around for a while, but my guess is most people don't look at the security updates. That safari IndexedDB leak really was publicized so this update is probably getting more attention.
Why? I find this such an annoying feature having to accept every app to access my different folders. This should be a global setting to set once and allow for exceptions to be added when you want to restrict an app.
I absolutely despise this too. To me, a better solution would be to ask for every possible permission on install… you deny the ones you don’t like and go on with you life …. IF I need to enable those to do something afterwards, then programs just prompts for permission again.
The way I’ve dealt with this “let’sPretendUsersAreRetarded” annoyance is to actively add newly installed apps to the “Full Disk Access” list in the “security&privacy”-“privacy” section of system preferences as soon as I install them. Then I don’t have to allow permission everytime I open a new folder.
Thank you for posting this! Definitely had some concern about the IndexedDB leak, so good to know the new release is out (and has a fix for the issue) so I can update ASAP.
It's easy to stress over the number of things here, but remember: every org probably has a huge list of these, known-and-sitting on the backlog, so if there's this many in the changelog it means that someone actually cares enough to bring them forward vs. yet another UX refresh or something like that.
If that's supposed to be an analogy, it's a pretty poor one.
A still poor analogy but a bit more suitable to this case: the power company notified me that there's a problem with my electrical wiring. I'm fixing those issues in my house and warning the neighbors.
Neighbor has the same problems or worse but they are not fixing any issues.
Unless it's a zero day exploited in the wild, it's not "on fire", it's preventing one.
Its accurate in type but not degree. Obviously these security threats are not immediately life threatening. But the presumption that other companies have equally concerning security threats doesn't make these threats any better. It's also not clear that others have the same issues to this degree.
You're given this warning when you fire up the interpreter (at least in Monterey):
> WARNING: Python 2.7 is not recommended.
This version is included in macOS for compatibility with legacy software.
Future versions of macOS will not include Python 2.7.
Instead, it is recommended that you transition to using 'python3' from within Terminal.
I don't know, I already find Catalina way too buggy for my taste. I expect this to only get worse with later OSs, as it happened time and again in the past several years. I'll hold off on upgrading until it's absolutely unavoidable.
This issue was killing my battery, but I don't use bluetooth on this laptop at all, so going to Settings > Bluetooth and turning it off completely fixed the issue for me. Haven't seen a bluetoothd process in ~2 weeks now.
It's more 'everyone on macOS update right now', which is a pretty regular thing on Windows, too. Catalina is still supported, so all the 2012 Macs are still updated.
The "real" list is often much longer since Apple (IIRC) doesn't add CVEs to bugs they discover interally, and doesn't disclose them in these changelogs.
And this update has very little security content compared to previous ones, for example 12.1 had 42 entries (13 entries for 12.2).
Like, there’s an arbitrary code execution issue fixed here in ColorSync. ColorSync! Who thinks to attack the color management system, and then how do you set up your org structure to protect from attacks on that? Because…assuming they have much of a team on it at all, as it’s probably a bit of a solved problem…your core team is probably going to be focused on color, and not buffer overflows.
macOS has a lot of old components now, and just getting a grasp of where you could possibly have security issues must be nigh impossible.